And server is under Amazon EC2, but that shouldn't really make any sense
2015-08-29 0:11 GMT+03:00 Alexandru Covalschi 568691@gmail.com:
Forgot to add

cat /etc/issue
Debian GNU/Linux 8 \n \l

kamailio -V
version: kamailio 4.3.1 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, F_MALLOC, DBG_F_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 4.9.2

openssl version
OpenSSL 1.0.1k 8 Jan 2015

2015-08-28 20:01 GMT+03:00 Alexandru Covalschi 568691@gmail.com:
Hello!
I'm having problems with Kamailio configuration with TLS. Or, maybe, that's my misunderstanding about how it should work. So, the issue - inbound TLS works just great, I can call everyone in my domain. I have PositiveSSL certificate, so I have such files:

calist.crt AddTrustExternalCARoot.crt + COMODORSAAddTrustCA.crt + COMODORSADomainValidationSecureServerCA.crt divided by \n
server.key - key
server.crt - cert

The configuration of tls.cfg

[server:default]
method = SSLv23
verify_certificate = no
require_certificate = no
private_key = /etc/ssl/sectel.io.ssl/sip/server.key
certificate = /etc/ssl/sectel.io.ssl/sip/server.crt
ca_list = /etc/ssl/sectel.io.ssl/sip/calist.crt
#crl = /etc/kamailio/crl.pem

(however with or without ca_list nothing changes)

[client:default]
verify_certificate = yes
require_certificate = yes

And with that configuration when I'm trying to call to ostel.co (public SIP service supporting TLS) from my server I get such error:

ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Putting that in tls.cfg:

[client:default]
verify_certificate = no
require_certificate = no

makes everything work. Cross-domain calling is essential and I'm just trying to figure out - what's the problem? Is that my certificate, is that ostel.co certificate or it is just the way it should be?
Thanks!
-- Alexandru Covalschi ABRISS-Solutions VoIP engineer and system administrator phone: +37367398493 web: http://abs-telecom.com/
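
An added example, not part of the original message and not taken from the Kamailio project: the client profile from the post shown beside a variant that keeps peer verification on and gives the profile a ca_list of its own. It assumes the verify failure comes from the client profile having no trust anchors, and that the remote peer's chain ends in a CA contained in Debian's system bundle /etc/ssl/certs/ca-certificates.crt (path from the ca-certificates package, not from the post).

```ini
# Workaround quoted in the post (kept here commented out).
# Outbound TLS connects, but the peer certificate is never checked,
# so the call is encrypted without the far end being authenticated.
#[client:default]
#verify_certificate = no
#require_certificate = no

# Variant that keeps verification enabled.
# ca_list holds the roots used to verify the REMOTE server's chain on
# outbound connections. The calist.crt from the post is the chain of the
# local server certificate; it only helps here if the remote peer's
# certificate was issued under the same roots.
[client:default]
verify_certificate = yes
require_certificate = yes
# Assumption: the peer's issuing CA is in the Debian system bundle.
ca_list = /etc/ssl/certs/ca-certificates.crt
```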